CVE-2026-39537 | Severity: HIGH | CNA: Patchstack

CVE-2026-39537: WordPress Mikado Core plugin <= 1.6 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions.

Metrics

CVSS v3.1 score: 8.1
Severity: HIGH
Fixed in: no fix version published upstream
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated local file inclusion vulnerability affects the Mikado Core WordPress plugin at version 1.6 and earlier. It is reachable over the network and requires no login, though exploitation involves elevated attack complexity. Successful exploitation gives an attacker full read access to files on the server, the ability to tamper with data, and can result in remote code execution depending on available server-side files. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-39537 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built images that bundle this WordPress plugin. Any image carrying Mikado Core at version 1.6 or earlier is flagged automatically.

Status: Available
Triage

Triage is available at a CVSS v3.1 score of 8.1 (HIGH), and each finding is weighted against the compliance policy configured for the affected environment before being routed to the appropriate team inbox within the customer organization.

Status: Available
Patch

No fix version has been published upstream for CVE-2026-39537. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS from a remote location.

  • Authentication: Not required

    No account or session credentials are needed; the attacker can trigger the vulnerability as an anonymous visitor.

  • Victim interaction: Not required

    Exploitation is fully server-side and does not require any action from an administrator or other user.

  • Attack complexity: High

    Attack complexity is rated HIGH, meaning the attacker must navigate race conditions, specific server configurations, or other environmental factors to reliably achieve inclusion of a target file.

Blast Radius

  • An attacker can read arbitrary files on the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
  • An attacker can read application source code and environment files, exposing API tokens and integration secrets stored on disk.
  • Where server configuration permits, an attacker can include and execute a server-side file to achieve remote code execution, allowing arbitrary command execution on the host.
  • Successful exploitation can lead to full integrity compromise of the WordPress application, including modification of content, users, and settings.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-39537 is active across all customer environments, matching any image that bundles Mikado Core at version 1.6 or earlier. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle. The moment a patched version is released, a rebuilt image at that version becomes available, and for customers who opt into auto-remediation, a regression test run and a pull request against affected workloads are opened automatically. In the interim, compensating controls worth considering include network-policy rules that restrict public HTTP access to WordPress installations running this plugin, filesystem-level restrictions that limit the server-side file paths readable by the web process, and disabling any plugin features that accept user-controlled file path parameters until a vendor patch is available.

Affected packages

  • Mikado-Themes / Mikado Core: ≤ 1.6

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H